It's been a while without any major exploits in the Wii U scene, so I present to you:

USB Descriptor Parsing Is Hard (UDPIH)​

An exploit for the Wii U's USB Host Stack. Pronounced like "mud pie" without the M.

The write-up can be found here!

What does this mean?​

Since the USB Stack is running before anything on the PPC side of the Wii U is booted, this allows unbricking things like CBHC bricks without any soldering!

Supported devices:​

• Raspberry Pi Pico (W) / Pico 2 (W)
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch capable of running udpih_nxpayload

Instructions​

Device Setup​

Follow the setup guide for the device you want to use below:

• Raspberry Pi Pico / Pico 2
• Raspberry Pi Zero (W) / A / A+ / Zero 2 W / 4 / 5
• Steam Deck
• Espressif ESP32 S2 / S3
• Nintendo Switch

Booting the recovery_menu​

Important notes for this to work:

• Make sure no other USB devices are attached to the console.
• Only use USB ports on the front of the console, the back ports will not work.
• If your console has standby mode enabled, pull the power plug and turn it on from a full coldboot state.

• Copy the latest release of the recovery_menu to the root of your FAT32 formatted SD Card.
• Insert the SD Card into the console and power it on.
• As soon as you see the "Wii U" logo on the TV or Gamepad plug in your prepared UDPIH device.
  This timing is important. If you're already in the menu, the exploit won't work.
  Depending on the device, you might have to plug it in sooner or later. This might take several attempts.
  If you get no video output or a distorted screen, your timing was most likely wrong.
• After a few seconds you should be in the recovery menu.

So what's this recovery menu? The recovery menu allows you to fix several bricks:

Wii U Recovery Menu​

A simple recovery menu running on the IOSU for unbricking.

Options​

Set Coldboot Title
Allows changing the current title the console boots to.
Useful for unbricking CBHC bricks.
Possible options are:

• Wii U Menu (JPN) - 00050010-10040000
• Wii U Menu (USA) - 00050010-10040100
• Wii U Menu (EUR) - 00050010-10040200

On non-retail systems the following additional options are available:

• System Config Tool - 00050010-1F700500
• DEVMENU (pre-2.09) - 00050010-1F7001FF
• Kiosk Menu - 00050010-1FA81000

Dump Syslogs
Copies all system logs to a logs folder on the root of the SD Card.

Dump OTP + SEEPROM
Dumps the OTP and SEEPROM to otp.bin and seeprom.bin on the root of the SD Card.

Start wupserver
Starts wupserver which allows connecting to the console from a PC using wupclient.

Load Network Configuration
Loads a network configuration from the SD, and temporarily applies it to use wupserver.
The configurations will be loaded from a network.cfg file on the root of your SD.
For using the ethernet adapter, the file should look like this:

type=eth

For using wifi:

type=wifi
ssid=ssidhere
key=wifikeyhere
key_type=WPA2_PSK_AES

Pair Gamepad
Displays the Gamepad Pin and allows pairing a Gamepad to the system. Also bypasses any region checks while pairing.
The numeric values represent the following symbols: ♠ = 0, ♥ = 1, ♦ = 2, ♣ = 3.
Note that rebooting the system might be required to use the newly paired gamepad.

Install WUP
Installs a valid signed WUP from the install folder on the root of your SD Card.
Don't place the WUP into any subfolders.

Edit Parental Controls
Displays the current Parental Controls pin configuration.
Allows disabling Parental Controls.

Debug System Region
Fixes bricks caused by setting productArea and/or gameRegion to an invalid value. Symptoms include being unable to launch System Settings or other in-region titles.

System Information
Displays info about several parts of the system.
Including serial number, manufacturing date, console type, regions, memory devices...

Load BOOT1 payload
Loads a payload from the root of the SD Card named boot1.img and executes it from within boot1.
If the file is named boot1now.img it gets loaded automatically when starting the recovery_menu after a 5 second timeout.

Credits​

• @Maschell for the network configuration types
• @dimok789 for mocha
• @hexkyz for hexFW
• @rw-r-r-0644 for the lolserial code

Special thanks to Maschell, rw-r-r-0644, QuarkTheAwesome, vgmoose, exjam, dimok789, and everyone else who contributed to the Wii U scene!

 

[V10lator]

I suppose there‘s nothing else to be done by someone like me, right?

Do you have a NAND backup and some basic soldering skills? There is a mod to replace the eMMC with a simple SD card and it doesn't seem to be that hard to do (you don't even have to solder the eMMC out).

//EDIT: See https://gbatemp.net/threads/how-i-fixed-160-0103-system-memory-error.626448/ for more informations about this mod.

 

[crazillo]

Do you have a NAND backup and some basic soldering skills? There is a mod to replace the eMMC with a simple SD card and it doesn't seem to be that hard to do (you don't even have to solder the eMMC out).

//EDIT: See LINK for more informations about this mod.

You mean the MLC? No, Unfortunately I don't think I have the NAND backup. Didn't know about the SD card solution though, that's actually slick...

What I find a bit surprising is that I didn't get any error codes on screen at all.

I really appreciate the attempt to help! But I guess I'll just have to go for a replacement unit then. Just sucks for the savefiles and activity logs mostly. A good friend always heavily criticized the way Nintendo handeled the account system on the Wii U, and I must say he was right in retrospect.

 

[GabCupim]

Thanks. Now the bad news: There's definitely corruption on the MLC. Can't find a hint about a hardware defect through so this could just be filesystem corruption beyond repair. Normally I would suggest to flash back a NAND backup but



Anyway, let's wait what others say about this.

Thank you anyway @V10lator! I'll just accept it's gone. It served me well!

 

[Barracuda]

I have a problem with nintendo switch UDPIH not patched. In the last row they all give me 0x4 and I don't see the recovery menu.

 

[viledisgorgement]

I'm guessing my Wii U has some serious corruption since I can't get it to output video anywhere. I'm able to blindly load the recovery menu and was able to grab the logs. I tried setting the cold boot title a few times to no avail. It ends up just getting stuck infinitely on the Wii U logo on the gamepad. Tried a few SD cards, Raspberry Pi Pico and Hacked Switch. Anyone have any ideas based on these logs?

 

[Maschell]

I'm guessing my Wii U has some serious corruption since I can't get it to output video anywhere. I'm able to blindly load the recovery menu and was able to grab the logs. I tried setting the cold boot title a few times to no avail. It ends up just getting stuck infinitely on the Wii U logo on the gamepad. Tried a few SD cards, Raspberry Pi Pico and Hacked Switch. Anyone have any ideas based on these logs?

Your NAND (HYNIX) is dead

0:00:05:188: mmc_core card err: idx=3, lba=55252992, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:228: mmc_core card err: idx=3, lba=55252992, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:228: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:05:288: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:11, pathnull)
00:00:05:288: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeCn.ttf, err -196673
00;00;05;168: ***LoadShared - WaitLoadComplete(8388608,4721996) failed with error -196673 on file "CafeCn.ttf".
00:00:05:618: NET: Change admin state (1 -> 2)(iface:0 link:2)
00:00:05:737: mmc_core card err: idx=3, lba=55283712, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:775: mmc_core card err: idx=3, lba=55283712, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:775: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:05:808: mmc_core card err: idx=3, lba=55284736, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:846: mmc_core card err: idx=3, lba=55284736, blks=1024, xfer=0x1, ret=0x00200b40
00:00:05:846: mdblk: err=-131099, mid=0x90, prv=0x5c, pnm=[HYNIX ]
00:00:06:126: FSA: ### MEDIA ERROR ###, dev:mlc01, err:-2228230, cmd:11, pathnull)
00:00:06:126: failed to read file /vol/storage_mlc01/sys/title/0005001b/10042400/content/CafeTw.ttf, err -196673
00;00;06;006: ***LoadShared - WaitLoadComplete(0,8229724) failed with error -196673 on file "CafeTw.ttf".

 

[tryingtofixmywiiu]

Hey Gary, my Wii U is a black color model and the european region model (im in europe) and i copied the recovery menu into my sd card and plugged the sd card into the wii u, when i booted my wii u the recovery menu didn’t appear and it’s as if i never plugged an sd card. I have the error 0103 brick and the reason my wii u bricked is because back in my teen self thought it was a good idea to do haxchi coldboot without knowdlege and with a youtube tutorial because i was tired of launching homebrew through internet and not in a direct boot (dumb decision), when my wii u bricked i searched for solutions for years but nothing, yesterday i was looking into my old boxes and things then i found my wii u laying in one of my boxes, i tried to look again for a solution and came to this post but as i said the recovery menu did not appear in the wii u, it’s just the common wii u logo with the white background then the error displaying, do i need to put something else or something more in the sd card or is my wii u unfixable?? Also I don’t have the gamepad as i sold it years ago and neither a pico, but i do have a switch the issue is that it’s patched and its a 2017 model, i saw that you can interact with the recovery menu with the power and eject buttons so i hope i don’t need any pico or anything like that. what should i do?

 

[V10lator]

@tryingtofixmywiiu You need a Pico as that's what hacks into the Wii Us USB driver to load the recovery menu from the SD card. A Pico is just like $5 through.

 

[tryingtofixmywiiu]

@tryingtofixmywiiu You need a Pico as that's what hacks into the Wii Us USB driver to load the recovery menu from the SD card. A Pico is just like $5 through.

can i use usb pendrive instead to do it? like copy and paste the recovery menu into the pendrive and plug it into the wii u, does it work?

 

[V10lator]

can i use usb pendrive instead to do it?

No. UDPIH (the thing exploiting the Wii Us USB stack) is short for "USB Descriptor Parsing Is Hard" (cause Nintendo f***ed up USB descriptor parsing), so you need a device able to fake USB descriptors. Not only one of them but multiple in a row. A Pico can do this with ease, a unpatched Switch can do so, too. A RPI zero can do it also. A few other linux based SBCs can do so, too, and for all of them UDPIH is available.

//EDIT: Also the recovery menu needs to be on the SD card no matter what. UDPIH is just kind of a stage loader exploiting the Wii Us USB stack and loading the recovery menu from the SD card.

 

[dvdpenachio]

Hoping to get some help.. I'm having a similar issue.. my Wii U is stuck on the "Delete and Erase All Content" screen after about 15secs. I was able to get logs, using the recovery_menu. If someone would be able to look at them it would be much appreciated!

 

[Knot51]

Hello . i managed to enter the recovery menu with my switch . i have the error code 160-0101 , i did the coldboot title got a succes message restarted the console but it still goes to the error code 160-0101 , im attaching logs. before the brick console was on latest tiramisu, my sd card went corrupt so i used "deccafinator" app to restore my vWii and then it went into the error code above , i looked at the logs but couldnt find anything related "memory error" "corruption" etc


Edit: Sorry it was false alarm, the code showed because i had a WII game in the Drive . when i took out the game wiiu boots no problem

​

​

 

[Coolandmore]

can i use an arduino uno instead of the pico

Post automatically merged: Apr 13, 2023

can i use a arduino uno instead

 

[pankos]

Have anybody tried to pair gamepad with no tv output as described here:

https://github.com/GaryOderNichts/recovery_menu/issues/19

Could somebody make and share ready to use modification of whatever file/menu mentioned in above link.

 

[godreborn]

Have anybody tried to pair gamepad with no tv output as described here:

https://github.com/GaryOderNichts/recovery_menu/issues/19

Could somebody make and share ready to use modification of whatever file/menu mentioned in above link.

you don't need to pair a gamepad with the recovery menu. it uses the controls on the system itself, eject and power iirc.

 

[pankos]

you don't need to pair a gamepad with the recovery menu. it uses the controls on the system itself, eject and power iirc.

I can't understand you point. My wiiu doesn't have any tv output and it is not paired with any gamepad. Connecting gamepad would allow to play at least some games on it and maybe change tv output settings. Of course if console is still alive. I hope it is, as I am able to dump system logs navigating UDPIH blindly.

 

[BaamAlex]

I can't understand you point. My wiiu doesn't have any tv output and it is not paired with any gamepad. Connecting gamepad would allow to play at least some games on it and maybe change tv output settings. Of course if console is still alive. I hope it is, as I am able to dump system logs navigating UDPIH blindly.

He meant that you can use the recovery without the gamepad. For most of the games, a gamepad is required. That's right. But that's not the point here.

 

[V10lator]

He meant that you can use the recovery without the gamepad. For most of the games, a gamepad is required.

The user in question said that HDMI isn't working, so impossible to pair a gamepad and as a result impossible to use the Wii U.

@pankos A version of the recovery menu which dumps the pairing code to the SD card is in the works. With this you should be able to pair the gamepad blindly.

 

[pankos]

The user in question said that HDMI isn't working, so impossible to pair a gamepad and as a result impossible to use the Wii U.

@pankos A version of the recovery menu which dumps the pairing code to the SD card is in the works. With this you should be able to pair the gamepad blindly.

Exactly!
After reading commentary on GitHub I was only hoping that somebody here already compiled new version with ability to dump pairing pin to the SD card. Anyway looking forward to try a new version once it's released.

 

[gorgyrip]

I have a japanese console stuck in component video mode. I don't have the gamepad.
I'm using a pico and udpih isn't working on this console. (it works on many other consoles).
The drives makes 3 sounds: sound - pause - sound - pause - short sound. other consoles that i have and are working with udpih only make 2 sounds.
The usb port is working, because when i insert a usb stick, the console detects it.
The console has 2 users, one of them has an exclamation mark, i think it's something about internet.
There's no purple light and the console boots normally. I've tried different timings. What am I missing?